A.2 System-Based Model
A.2.7 Identity Verification Process
The IDMS shall receive the completed package for PIV from Enrollment. The IDMS shall verify the integrity of that package by confirming completeness, accuracy, and digital signatures.
The IDMS shall provide a means to confirm employment and sponsorship as identified in the package.
The IDMS shall perform a 1:many search to assure that the individual identified in the package has not applied previously under a different name.
The IDMS shall conduct the appropriate identity verification and validation using government-wide databases and services in accordance with HSPD-11.
The Approval Authority shall provide adjudication of the identity claim should any of these three core checks identify a potential risk.
After successful completion of the appropriate identity verification process, the Approval Authority shall approve card production for the credential. The Approval Authority may approve issuance of a PIV credential prior to completion of all core checks for identity verification and validation if these processes exceed ten days.
The IDMS shall be responsible to maintain:
1. Completed and signed PIV enrollment package;
2. Copies of the identity source documents;
3. Completed and signed background form received from the Applicant;
4. Results of the required background check;
5. Any other materials used to prove the identity of the Applicant;
6. The credential identifier such as an identity credential serial number;
7. The expiration date of the identity credential;
8. Unique minimal identity record for each approved Applicant;
9. Separated database indexed to the minimal identity record containing the original biometric data captured at enrollment. These data shall be encrypted at rest; and
10. Separated database of biometric data indexed to the minimal identity record supporting AFIS for 1:many identity checking.
The IDMS shall provide services that:
1. Notify the Employee/Contractor Applicant of status of the PIV;
2. Notify the Employer of status of the PIV; and
3. Enable validation by anyone inquiring if an issued credential is still valid.
The IDMS shall provide complete personalization and printing information for card production for all approved PIV credentials as required by the supporting card production facility’s requirements. This information shall be provided to enable the full chain of trust between the individual, the issuer, the identity verification performed, the credential and the biometric.
A.2.8 Card Production, Activation and Issuance
Card production may be performed either centrally or in a distributed location. The IDMS shall track the status of a PIV credential throughout its life cycle, from initial production request, personalization and printing, activation and issuance, suspension, revocation and destruction.
Card production services shall—
1. Maintain full inventory control of blank initialized or pre-issued (e.g., with the manufacturer's keys) stock, consumables and manufacturing materials;
2. Maintain a list of approved IDMS systems that can submit PIV requests for card production;
3. Provide acknowledgement of an IDMS request to produce a PIV;
4. Notify the IDMS upon completion of PIV credential production;
5. Maintain a list of approved Issuers that can activate and issue PIV credentials;
6. Only send information regarding production of PIV credentials to approved authorities;
7. Only send fully completed and personalized PIV credentials to approved Issuing Agents; and
8. Document, implement, and maintain a Card Production, Activation and Issuance Security Policy.
At time of activation, the Issuer shall establish that the individual seeking to activate their PIV credential is the individual who applied for the PIV with a 1:1 biometric verification to the IDMS. Once confirmed, the Issuer shall activate the credential.
A.2.9 Suspension, Revocation and Destruction
It is important to keep track of active cards as well as lost, stolen and expired cards. A card registry for all cards issued shall be established and maintained.
A.2.10 Re-issuance to Current PIV Credential Holders
When issuing or re-issuing identity credentials to current employees, the Issuing Authority shall—
1. Ensure the IDMS record for this individual states the credential is not expired;
2. Verify the individual with a 1:1 biometric match against the IDMS record;
3. Verify the individual against the IDMS record digital photograph;
4. Recapture biometrics;
5. Issue a new credential and update the IDMS record; and
6. The recaptured biometrics and new credential record shall be digitally signed by the Issuing Authority.
Appendix B—PIV Validation, Certification, and Accreditation
B.1 Accreditation of PIV Service Providers
[HSPD-12] requires that all cards be issued by providers whose reliability has been established by an official accreditation process. Funding permitting, NIST will establish detailed criteria that PIV Card issuers must meet for accreditation. Additionally, NIST will (again, funding permitting) establish a government-wide program to accredit official issuers of PIV Cards against these accreditation criteria.
Until such time as these are completed, agencies must self-certify their own issuers of PIV Cards.
B.2 Security Certification and Accreditation of IT System(s)
In order to accomplish the accreditation of PIV service providers as described above, and to be compliant with the provisions of OMB Circular A-130, App. III, the IT system(s) used by PIV service providers must also be certified in accordance with NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. Security certification is a comprehensive assessment of the management, operational, and technical security controls in an information system. NIST SP 800-37 provides a formal framework for certification, along with specific requirements for validating and obtaining certificates for the PIV modules described below. [SP800-37]
B.3 Conformance of PIV Components to this Standard
NIST plans to develop a PIV validation program that will test implementations for conformance with this standard. Note that the following are not requirements until NIST establishes such a program. Information on this program will be published at http://csrc.nist.gov/npivp as it becomes available.
A PIV system is FIPS 201-compliant after each of its constituent components (card, reader, issuer software, and registration database) has met its individual validation requirements. Because these individual validation requirements are based on different standards and no single test laboratory is accredited for validating products built to all these standards, a PIV system has to undergo testing and consequent validation through multiple validation facilities. The PIV components and currently available validation requirements are summarized in Table B-1.
Table B-1. PIV System Components and Validation Requirements
PIV Component: Validation Requirement(s)
PIV ICC: ISO/IEC 7816, ISO/IEC 10373 (Parts 1 and 3); ISO/IEC 14443 (Parts 1-4), ISO/IEC 10373 (Part 6); Crypto Modules—FIPS 140-2
PIV Reader: PC/SC
Card Issuance and Maintenance System: Crypto Modules—FIPS 140-2
B.4 Cryptographic Testing and Validation (FIPS 140-2 and algorithm standards)
All the cryptographic modules in the PIV system (both on-card and issuer software) shall be validated to FIPS 140-2 with an overall Security Level 2 (or higher). [FIPS140-2] The facilities for FIPS 140-2 testing are the Cryptographic Module Testing (CMT) laboratories accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) of NIST. Vendors wanting to supply cryptographic modules for the PIV system can select any of the accredited laboratories. The tests conducted by these laboratories for all vendor submissions are validated and a validation certificate for each vendor module is issued by the Cryptographic Module Validation Program (CMVP), a joint program run by NIST and the Communications Security Establishment (CSE) of the Government of Canada. The details of the CMVP and NVLAP programs and the list of CMT laboratories can be found at the CMVP Web site at http://csrc.ncsl.nist.gov/cryptval.
Appendix C—Background Check Descriptions
The following describes the details of a National Agency Check (NAC) and a National Agency Check with Inquiries (NACI).
+ NAC. The NAC is part of every NACI. Standard NACs are Security/Suitability Investigations Index (SII), Defense Clearance and Investigation Index (DCII), FBI Name Check, and FBI National Criminal History Fingerprint Check.
+ NACI. The basic and minimum investigation required on all new Federal employees, consisting of a NAC with written inquiries and searches of records covering specific areas of an individual’s background during the past five years (inquiries sent to current and past employers, schools attended, references, and local law enforcement authorities). Coverage includes:
– Employment, 5 years
– Education, 5 years and highest degree verified
– Residence, 3 years
– References
– Law Enforcement, 5 years
– NACs
Appendix D—PIV Object Identifiers and Certificate Extension
D.1 PIV Object Identifiers
Table D-1 lists details for PIV object identifiers.
Table D-1. PIV Object Identifiers
ID (Object Identifier): Description
PIV eContent Types
id-PIV-CHUIDSecurityObject (2.16.840.1.101.3.6.1): The associated content is the concatenated contents of the CHUID, excluding the authentication key map and the asymmetric signature field.
id-PIV-biometricObject (2.16.840.1.101.3.6.2): The associated content is the concatenated CBEFF_HEADER + STD_BIOMETRIC_RECORD.
PIV Attributes
pivCardholder-Name (2.16.840.1.101.3.6.3): The attribute value is of type DirectoryString and specifies the PIV cardholder’s name.
pivCardholder-DN (2.16.840.1.101.3.6.4): The attribute value is an X.501 type Name and specifies the DN associated with the PIV cardholder in the PIV certificate(s).
pivSigner-DN (2.16.840.1.101.3.6.5): The attribute value is an X.501 type Name and specifies the subject name that appears in the PKI certificate for the entity that signed the biometric or CHUID.
pivFASC-N (2.16.840.1.101.3.6.6): The pivFASC-N OID may appear as a name type in the otherName field of the subjectAltName extension of X.509 certificates or as a signed attribute in CMS external signatures. Where used as a name type, the syntax is OCTET STRING. Where used as an attribute, the attribute value is of type OCTET STRING. In each case, the value specifies the FASC-N of the PIV card.
PIV Extended Key Usage
id-PIV-content-signing (2.16.840.1.101.3.6.7): This specifies that the public key may be used to verify signatures on PIV CHUIDs and PIV biometrics.
id-PIV-cardAuth (2.16.840.1.101.3.6.8): This specifies that the public key is used to authenticate the PIV card rather than the PIV cardholder.
D.2 PIV Certificate Extension
The PIV NACI indicator extension indicates the status of the subject’s background investigation at the time of credential issuance. The PIV NACI indicator extension is always non-critical, and SHALL appear in all PIV authentication certificates. The value of this extension is asserted as follows:
+ TRUE if, at the time of credential issuance, (1) the FBI National Criminal History Fingerprint Check has completed successfully, and (2) a NACI has been initiated but has not completed.
+ FALSE if, at the time of credential issuance, the subject’s NACI has been completed and successfully adjudicated.
Note that PIV authentication certificates MUST NOT be issued to a subject if—
+ a NACI has been completed unsuccessfully;
+ the FBI National Criminal History Fingerprint Check has not completed; or
+ a NACI has not yet been initiated.
The PIV NACI indicator extension is identified by the id-piv-NACI object identifier. The syntax for this extension is defined by the following ASN.1 module. See an important change notice at the end of this document.
PIV-Cert-Extensions { 2 16 840 1 101 3 6 10 1 }
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
-- EXPORTS ALL --
-- IMPORTS NONE --
-- Object identifier that labels the PIV NACI indicator extension (extnID)
id-piv-NACI OBJECT IDENTIFIER ::= { 2 16 840 1 101 3 6 9 1 }
-- Type of the extension value: TRUE while the NACI is initiated but not completed,
-- FALSE once the NACI has been completed and successfully adjudicated.
-- (ASN.1 identifiers use hyphens, not underscores, and DEFAULT is only valid on
-- SEQUENCE/SET components, so it does not belong on this type assignment.)
NACI-indicator ::= BOOLEAN
END
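The following is an added example, not part of FIPS 201 or any issuer's software: it applies the D.2 rules to decide the NACI indicator value (or refuse issuance in the three forbidden cases) and DER-encodes and checks the resulting non-critical extension under id-piv-NACI. The NaciStatus states, IssuanceRefused and all function names are this example's own.

```python
"""Added example, not part of FIPS 201: apply the Appendix D.2 rules for the PIV NACI
indicator and DER-encode the non-critical extension. All names here are the example's own."""
from enum import Enum

ID_PIV_NACI = "2.16.840.1.101.3.6.9.1"  # id-piv-NACI (Appendix D.2)

class NaciStatus(Enum):  # constructed states of a NACI, for illustration
    NOT_INITIATED = "not yet initiated"
    IN_PROGRESS = "initiated but not completed"
    ADJUDICATED_OK = "completed and successfully adjudicated"
    ADJUDICATED_BAD = "completed unsuccessfully"

class IssuanceRefused(Exception):
    """A PIV authentication certificate MUST NOT be issued in this state."""

def naci_indicator(fingerprint_check_done: bool, naci: NaciStatus) -> bool:
    """Return the NACI indicator value for the certificate, or refuse issuance."""
    if not fingerprint_check_done:
        raise IssuanceRefused("FBI National Criminal History Fingerprint Check not completed")
    if naci is NaciStatus.NOT_INITIATED:
        raise IssuanceRefused("NACI has not yet been initiated")
    if naci is NaciStatus.ADJUDICATED_BAD:
        raise IssuanceRefused("NACI completed unsuccessfully")
    # TRUE: fingerprint check passed and NACI initiated but not completed.
    # FALSE: NACI completed and successfully adjudicated.
    return naci is NaciStatus.IN_PROGRESS

def certificate_may_be_issued(fingerprint_check_done: bool, naci: NaciStatus) -> bool:
    try:
        naci_indicator(fingerprint_check_done, naci)
        return True
    except IssuanceRefused:
        return False

def _der_len(n: int) -> bytes:
    return bytes([n]) if n < 0x80 else bytes([0x81, n])  # lengths up to 255 suffice here

def der_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs fold into one byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return b"\x06" + _der_len(len(body)) + bytes(body)

def encode_naci_extension(value: bool) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    The extension is always non-critical, so DER omits the critical field entirely."""
    inner = b"\x01\x01" + (b"\xff" if value else b"\x00")  # DER BOOLEAN inside extnValue
    content = der_oid(ID_PIV_NACI) + b"\x04" + _der_len(len(inner)) + inner
    return b"\x30" + _der_len(len(content)) + content

def decode_naci_extension(ext: bytes) -> bool:
    """Relying-party check: accept only a well-formed, non-critical id-piv-NACI extension."""
    oid = der_oid(ID_PIV_NACI)
    if not 2 <= len(ext) <= 129 or ext[:2] != b"\x30" + bytes([len(ext) - 2]) or not ext[2:].startswith(oid):
        raise ValueError("not a PIV NACI indicator extension")
    rest = ext[2 + len(oid):]
    if rest[:1] == b"\x01":  # explicit critical field: TRUE violates D.2, FALSE violates DER
        raise ValueError("extension marked critical or not DER-encoded")
    if len(rest) != 5 or rest[:4] != b"\x04\x03\x01\x01" or rest[4] not in (0x00, 0xFF):
        raise ValueError("malformed extnValue")
    return rest[4] == 0xFF
```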
Appendix E—Physical Access Control Mechanisms
The Government Smart Card Interagency Advisory Board’s Physical Security Interagency Interoperability Working Group publication Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems (PACS) provides guidance on physical access for various assurance profiles. Table E-1 describes the relationship between the PACS assurance levels and the PIV identity authentication levels defined in Section 6.1.
Table E-1. PIV Support of PACS Assurance Profiles
PACS Assurance Profile: PIV Identity Authentication Assurance Level
PACS Low: SOME confidence
PACS Medium: SOME confidence
PACS High (without PIN): SOME confidence
PACS High (with PIN): VERY HIGH confidence
Appendix F—Glossary of Terms, Acronyms, and Notations
F.1 Glossary of Terms
The following terms are used throughout this standard.
Access Control: The process of granting or denying specific requests to 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., Federal buildings, military establishments, border crossing entrances).
Applicant: An individual applying for a PIV Card/credential. The Applicant may be a current or prospective Federal hire, a Federal employee, or a contractor.
Application: A hardware/software system implemented to satisfy a particular set of requirements. In this context, an application incorporates a system used to satisfy a subset of requirements related to the verification or identification of an end user’s identity so that the end user’s identifier can be used to facilitate the end user’s interaction with the system.
Approved: FIPS approved or NIST recommended. An algorithm or technique that is either (1) specified in a FIPS or a NIST recommendation or (2) adopted in a FIPS or NIST recommendation.
Architecture: A highly structured specification of an acceptable approach within a framework for solving a specific problem. An architecture contains descriptions of all the components of a selected, acceptable solution while allowing certain details of specific components to be variable to satisfy related constraints (e.g., costs, local environment, user acceptability).
Asymmetric Keys: Two related keys, a public key and a private key, that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.
Authentication: The process of establishing confidence of authenticity; in this case, in the validity of a person’s identity and the PIV Card.
Biometric: A measurable, physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an Applicant. Facial images, fingerprints, and iris scan samples are all examples of biometrics.
Biometric Information: The stored electronic information pertaining to a biometric. This information can be in terms of raw or compressed pixels or in terms of some characteristic (e.g., patterns).
Biometric System: An automated system capable of the following:
+ Capturing a biometric sample from an end user
+ Extracting biometric data from that sample
+ Comparing the extracted biometric data with data contained in one or more references
+ Deciding how well they match
+ Indicating whether or not an identification or verification of identity has been achieved.
Capture: The method of taking a biometric sample from an end user. [INCITS/M1-040211]
Cardholder: An individual possessing an issued PIV Card.
Certificate Revocation List: A list of revoked public key certificates created and digitally signed by a Certification Authority. [RFC 3280]
Certification: The process of verifying the correctness of a statement or claim and issuing a certificate as to its correctness.
Certification Authority: A trusted entity that issues and revokes public key certificates.
Claimant: A party whose identity is to be verified using an authentication protocol.
Comparison: The process of comparing a biometric with a previously stored reference. See also “Identification” and “Identity Verification”. [INCITS/M1-040211]
Component: An element of a large system, such as an identity card, PIV Issuer, PIV Registrar, card reader, or identity verification support, within the PIV system.
Conformance Testing: A process established by NIST within its responsibilities of developing, promulgating, and supporting FIPS for testing specific characteristics of components, products, and services, as well as people and organizations for compliance with a FIPS.
Credential: Evidence attesting to one’s right to credit or authority; in this standard, it is the PIV Card and data elements associated with an individual that authoritatively binds an identity (and, optionally, additional attributes) to that individual.
Cryptographic Key (Key): A parameter used in conjunction with a cryptographic algorithm that determines the specific operation of that algorithm.
Federal Information Processing Standards (FIPS): A standard for adoption and use by Federal departments and agencies that has been developed within the Information Technology Laboratory and published by NIST, a part of the U.S. Department of Commerce. A FIPS covers some topic in information technology to achieve a common level of quality or some level of interoperability.
Framework: A structured description of a topic of interest, including a detailed statement of the problem(s) to be solved and the goal(s) to be achieved. An annotated outline of all the issues that must be addressed while developing acceptable solutions to the problem(s). A description and analysis of the constraints that must be satisfied by an acceptable solution and detailed specifications of acceptable approaches to solving the problem(s).
Graduated Security: A security system that provides several levels (e.g., low, moderate, high) of protection based on threats, risks, available technology, support services, time, human concerns, and economics.
Hash-Based Message Authentication Code (HMAC): A message authentication code that uses a cryptographic key in conjunction with a hash function.
Hash Function: A function that maps a bit string of arbitrary length to a fixed length bit string.
Approved hash functions satisfy the following properties:
1. One-Way. It is computationally infeasible to find any input that maps to any pre-specified output.
2. Collision Resistant. It is computationally infeasible to find any two distinct inputs that map to the same output.
Identification: The process of discovering the true identity (i.e., origin, initial history) of a person or item from the entire collection of similar persons or items.
Identifier: Unique data used to represent a person’s identity and associated attributes. A name or a card number are examples of identifiers.
Identity: The set of physical and behavioral characteristics by which an individual is uniquely recognizable.
Identity Binding: Binding of the vetted claimed identity to the individual (through biometrics) according to the issuing authority. Represented by an identity assertion from the issuer that is carried by a PIV credential.
Identity Management System (IDMS): An identity management system comprising one or more systems or applications that manages the identity verification, validation and issuance process.
Identity Proofing: The process of providing sufficient information (e.g., identity history, credentials, documents) to a PIV Registrar when attempting to establish an identity.
Identity Registration: The process of making a person’s identity known to the PIV system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system.
Identity Verification: The process of confirming or denying that a claimed identity is correct by comparing the credentials (something you know, something you have, something you are) of a person requesting access with those previously proven and stored in the PIV Card or system and associated with the identity being claimed.
Information in Identifiable Form (IIF): Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. [E-Gov]
Interoperability: For the purposes of this standard, interoperability allows any government facility or information system, regardless of the PIV Issuer, to verify a cardholder’s identity using the credentials on the PIV Card.
Issuer: The organization that is issuing the PIV Card to an Applicant. Typically this is an organization for which the Applicant is working.
JPEG: A standardized image compression function originally established by the Joint Photographic Experts Group.
Key: See “Cryptographic Key”.
Match/Matching: The process of comparing biometric information against previously stored biometric data and scoring the level of similarity.
Message Authentication Code (MAC): A cryptographic checksum on data that uses a symmetric key to detect both accidental and intentional modifications of the data.
Model: A very detailed description or scaled representation of one component of a larger system that can be created, operated, and analyzed to predict actual operational characteristics of the final produced component.
Off-Card: Refers to data that is not stored within the PIV Card or to a computation that is not performed by the Integrated Circuit Chip (ICC) of the PIV Card.
On-Card: Refers to data that is stored within the PIV Card or to a computation that is performed by the Integrated Circuit Chip (ICC) of the PIV Card.
One-to-Many: Synonym for “Identification”. [INCITS/M1-040211]
Online Certificate Status Protocol (OCSP): An online protocol used to determine the status of a public key certificate. [RFC 2560]
Personal Identification Number (PIN): A secret that a claimant memorizes and uses to authenticate his or her identity. PINs are generally only decimal digits.
Personal Identity Verification (PIV) Card: A physical artifact (e.g., identity card, “smart” card) issued to an individual that contains stored identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint representation) so that the claimed identity of the cardholder can be verified against the stored credentials by another person (human readable and verifiable) or an automated process (computer